CVE-2026-6410 — @fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path() function resolves directories outside the configured static — CVE Database · The Intelligence Room